IPSEC / Crypto map configuration: Need to open firewall ports?

Answered Question
Jan 9th, 2008

Hi Experts,

I have the diagram below:

Server A -> A Firewall -> Router A <-> Router B <- B Firewall <- Server B

I am trying to do crypto map between Router A and B. There is NATed being done at both the firewall end.

Server A: 192.168.5.11

NATed at Firewall to 203.120.5.11

Server B: 172.16.16.11

NATed at Firewall to 203.123.16.11

I have done a permit access -list for 203.120.5.11 and 203.123.16.11 for the crypto map configuration.

But my question is whether i need to open any ports at the firewall end?

Currently the crypto not able to up.

Thanks.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 3 months ago

Cindy

At the risk of making your headache worse :)

Phase 1 of your IPSEC is working fine.

The key bit out of your error file is

local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),

Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

This is telling you that the routers disagree between what the local and remote networks are.

As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.

Can you recheck your crypto map access-list and if still not clear post your router configs.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Jon Marshall Wed, 01/09/2008 - 00:23

Hi Cindy

If the IPSEC tunnel is between the 2 routers which it sounds as if it is then the answer is it depends :). As an example

Server A telnets to Server B.

1) Is there an access-list on the A firewall on the inside interface that might stop the traffic reaching router A.

2) If not can you confirm that the firewall is doing the NAT translation correctly.

3) Assuming 1 & 2 are okay is there a rule on firewall B that allows telnet traffic from ServerA to Server B.

If 3 is okay then no you should not have to open any more ports because the return traffic will be allowed as the ASA's are stateful firewalls.

If you are using something like ping between the 2 servers you may need additional access-list entries.

When you try to initiate a connection and you have

debug crypto isa

debug crypto ipsec

turned on on router A do you see anything ?

Jon

cindylee27 Wed, 01/09/2008 - 00:36

Jon,

well the network layer is up.can ping without the crypto map configured and confirmed that the NAT working by pinging the nat ip.

headache now..

log as attached.

thanks!

Correct Answer
Jon Marshall Wed, 01/09/2008 - 00:50

Cindy

At the risk of making your headache worse :)

Phase 1 of your IPSEC is working fine.

The key bit out of your error file is

local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),

Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

This is telling you that the routers disagree between what the local and remote networks are.

As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.

Can you recheck your crypto map access-list and if still not clear post your router configs.

Jon

cindylee27 Wed, 01/09/2008 - 01:11

Jon,

Great! Headache reduce tremendously..! :D

Put in the access list to any any..n yup,

you are right on the routers not agreeing on the local n remote networks..

i am there already..:) can see the encrpytion traffic already..thanks a lot!

Jon Marshall Wed, 01/09/2008 - 01:15

Cindy

Glad to be of help and appreciate the rating.

Good advert for Netpro - better than headache pills :)

Jon

Actions

Login or Register to take actions

This Discussion

Posted January 9, 2008 at 12:14 AM
Stats:
Replies:5 Avg. Rating:5
Views:401 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard